{"id":25707,"date":"2021-06-16T15:00:21","date_gmt":"2021-06-16T13:00:21","guid":{"rendered":"https:\/\/qodeinteractive.com\/magazine\/?p=25707"},"modified":"2021-06-17T09:43:55","modified_gmt":"2021-06-17T07:43:55","slug":"how-to-disable-rest-api-in-wordpress","status":"publish","type":"post","link":"https:\/\/qodeinteractive.com\/magazine\/how-to-disable-rest-api-in-wordpress\/","title":{"rendered":"How to Disable the JSON REST API in WordPress"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]Thanks to its flexibility and ease of use, the WordPress content management system (CMS) has become the most used platform for website creation. Its features are constantly being improved, and an ever-growing number of users, regardless of their programming experience, are given a chance to create a website. However, as a result of its constant improvement, some of the WordPress features are less known to the general WordPress community and, instead, are used mostly by developers. In this article, we will shine a light on one of those features\u2014the JSON REST API in WordPress. We will discuss what it is and whether you should disable it, as well as the steps you need to take to do that.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">Why you may want to disable JSON REST API in WordPress<\/h2>\n<p>[\/vc_column_text][vc_column_text]The <a href=\"https:\/\/developer.wordpress.org\/rest-api\/\" target=\"_blank\" rel=\"noopener\">WordPress JSON REST API<\/a> is a developer-oriented feature that was introduced in the WordPress 4.4 update that still sparks controversy. REST or Representational State Transfer is a type of software architecture that is commonly used for creating interactive Web services. More precisely, it turns your website into an available web service. 
This means other applications or web services can extract some information available on your website by sending specific HTTP GET requests. The WordPress REST API relies entirely on structured JSON data, which is why some call it the JSON REST API. An example of JSON data, although unformatted, is shown below. This data is displayed when accessing the so-called REST API root route, created by adding \/wp-json to the end of your website\u2019s URL.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page.jpg\" class=\"attachment-full size-full\" alt=\"WP JSON Page\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Despite unformatted JSON data being hard to read, it still poses a security risk because some WordPress or user-related data could be publicly accessible by navigating to specific REST API routes. For example, by accessing the<strong> \/wp-json\/wp\/v2\/users <\/strong>route, you can access the user-related data of a certain website. Even though you can\u2019t retrieve the passwords of website users this way, simply knowing the usernames leaves the website vulnerable to brute-force attacks. 
Because of this, some WordPress users opt to disable the WordPress REST API. However, we advise gathering more information before you make your call.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]It is important to understand that as the WordPress core files were updated and became more polished, the REST API improved as well. As a result, the use of REST API has become an integral part of many plugins and theme functionalities. Therefore, you should consult the authors of your current theme and plugins before disabling the REST API. Otherwise, you risk making some of the functionalities of your theme and plugins useless.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Furthermore, you should be aware that even the current default WordPress editor\u2014Gutenberg\u2014relies on some REST API routes for editing pages and posts. If you are considering disabling REST API and Gutenberg is your preferred editor, you won\u2019t be able to publish or update pages and posts if you go through with the deactivation.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]Suffice to say, all this poses a significant issue. A potential solution that doesn\u2019t involve disabling REST API is restricting access to unauthenticated users on a route-by-route basis. We will cover how to do this while explaining how to use a plugin to disable the REST API below. Nevertheless, consulting with your theme and plugin authors is a must before trying to implement any restrictions. 
This is the only certain way to improve the overall security of your website without harming its functionalities.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;80px&#8221;][vc_widget_sidebar sidebar_id=&#8221;new-top-picks-banner&#8221;][vc_empty_space height=&#8221;80px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">How to disable the JSON REST API in WordPress<\/h2>\n<p>[\/vc_column_text][vc_column_text]Now that you understand why someone might want to fully or partially disable the JSON REST API in WordPress, let\u2019s explain how it can be done. In the sections below, we will cover two possible methods\u2014using a WordPress plugin or using custom code.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;72px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Using a plugin<\/h3>\n<p>[\/vc_column_text][vc_column_text]There is a multitude of WordPress plugins on the market, which makes it relatively easy to find a suitable one for almost any purpose. In this case, we found the <a href=\"https:\/\/wordpress.org\/plugins\/disable-json-api\/\" target=\"_blank\" rel=\"noopener\">Disable REST API<\/a> plugin, which we\u2019ll use to outline the steps below. This plugin is very flexible\u2014it can serve to fully disable REST API or to disable some routes for specific user types only.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]To fully disable JSON REST API in WordPress, you only need to <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-install-a-wordpress-plugin\/\">install and activate this plugin<\/a>. This will disallow access to all JSON REST API routes to unauthenticated users by default.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]This plugin also offers the possibility to partially allow or disallow REST API access. 
More precisely, it allows you to specify which routes can be accessed by unauthenticated users or users with specific user roles. To set this, <strong>navigate to Settings &gt; Disable REST API<\/strong>. Then<strong> choose the appropriate user type with the <em>Rules<\/em> <em>for:<\/em> option<\/strong> and<strong> set the rules you want in the <em>Manage Rules<\/em> section<\/strong> below.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"628\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/Settings-Disable-REST-API.jpg\" class=\"attachment-full size-full\" alt=\"Settings Disable REST API\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/Settings-Disable-REST-API.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/Settings-Disable-REST-API-300x194.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/Settings-Disable-REST-API-768x498.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/Settings-Disable-REST-API-620x402.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]To clarify, these rules allow or disallow the use of certain REST API routes. And those routes represent parts of the URL that you can attach to the REST API root URL (your-website-url\/wp-json\/) to get a specific type of data. In some cases, parts of those routes can include regular expressions. 
You can see examples of this in the screenshot above.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]With that being said, you can choose to set rules for unauthenticated users, as well as users of any user roles that are available on the website. Once you\u2019ve done that, you will get the option to either fully allow REST API access for a given user type or to manually set the access for each available route.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]To fully allow REST API access for a given user type, choose the <em>Manage REST API Access<\/em> option and then toggle the switch next to each of the namespaces or routes available on your website. <strong>When you set the options according to your needs, don\u2019t forget to save them by clicking on the<em> Save Changes<\/em> button at the bottom.<\/strong> After disallowing a route to a certain user type, those users will get an error message when trying to access it. 
It will look similar to the message shown below.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Cannot-Access.jpg\" class=\"attachment-full size-full\" alt=\"WP JSON Cannot Access\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Cannot-Access.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Cannot-Access-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Cannot-Access-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Cannot-Access-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;82px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h3 class=\"qodef-h5\">Using custom code<\/h3>\n<p>[\/vc_column_text][vc_column_text]Most WordPress users opt for the plugin method, as it is the easiest one to implement. But there is another way of disabling the REST API, and that is by using custom code. The advantage of this method is that you avoid additional plugins that could potentially slow down or harm your website. However, with this method you can only disable the REST API completely.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]The steps for it include placing a small code snippet inside the functions.php file of your theme or within a <a href=\"https:\/\/qodeinteractive.com\/magazine\/wordpress-site-specific-plugin\/\">site-specific plugin<\/a>. We will show you how to do this using the functions.php file. 
However, before going any further, we recommend you <a href=\"https:\/\/qodeinteractive.com\/magazine\/how-to-manually-backup-wordpress-website\/\">make a backup of your website<\/a>. This is both good practice and a good precautionary measure. Once you\u2019ve done that, proceed as described below.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]First, you will need to <strong>connect to your server<\/strong> using your FTP credentials and <strong>navigate to the root WordPress directory<\/strong>, often called public_html.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2020\/12\/Public-HTML-FTP.jpg\" class=\"attachment-full size-full\" alt=\"Public HTML FTP\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2020\/12\/Public-HTML-FTP.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2020\/12\/Public-HTML-FTP-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2020\/12\/Public-HTML-FTP-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2020\/12\/Public-HTML-FTP-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Then, <strong>navigate to the \/wp-content\/themes directory<\/strong> and <strong>click on the directory of your currently active theme to open it. 
Locate the functions.php file<\/strong> within, <strong>right-click on it,<\/strong> and<strong> select the <em>View\/Edit<\/em> option<\/strong> from the dropdown menu.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"593\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-Content-View-Edit.jpg\" class=\"attachment-full size-full\" alt=\"WP-Content View Edit\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-Content-View-Edit.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-Content-View-Edit-300x184.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-Content-View-Edit-768x470.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-Content-View-Edit-620x379.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]<strong>Open the file<\/strong> using your preferred text editor and <strong>add the following code<\/strong> at the bottom of it.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\">function qode_disable_rest_api( $access ) {\r\n    \/\/ Reject every REST request with an error; rest_authorization_required_code()\r\n    \/\/ returns 401 for visitors that are not logged in and 403 for logged-in users.\r\n    return new WP_Error( 'rest_disabled', __( 'The WordPress REST API has been disabled.' ), array( 'status' =&gt; rest_authorization_required_code() ) );\r\n}\r\n\/\/ rest_authentication_errors runs before any route callback, so this blocks all routes.\r\nadd_filter( 'rest_authentication_errors', 'qode_disable_rest_api' );<\/pre>\n<p>[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/FTP-Code.jpg\" class=\"attachment-full size-full\" alt=\"FTP Code\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/FTP-Code.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/FTP-Code-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/FTP-Code-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/FTP-Code-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]Then, <strong>save the changes<\/strong> you made to the file and <strong>upload it back to the server<\/strong> to overwrite its older version there.[\/vc_column_text][vc_empty_space height=&#8221;28px&#8221;][vc_column_text]After that, <strong>check whether everything works as it should<\/strong> by examining one of the JSON REST API routes that are present on your website. 
If you\u2019ve successfully disabled REST API for your WordPress website, you will get an error message when trying to access that route.[\/vc_column_text][vc_empty_space height=&#8221;50px&#8221;]<div class=\"qodef-single-image-holder   qodef-has-border \">\n    <div class=\"qodef-si-inner\" >\n                                    <img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"518\" src=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-Disabled.jpg\" class=\"attachment-full size-full\" alt=\"WP JSON Page Disabled\" srcset=\"https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-Disabled.jpg 969w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-Disabled-300x160.jpg 300w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-Disabled-768x411.jpg 768w, https:\/\/qodeinteractive.com\/magazine\/wp-content\/uploads\/2021\/06\/WP-JSON-Page-Disabled-620x331.jpg 620w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/>                        <\/div>\n<\/div>[vc_empty_space height=&#8221;38px&#8221;][vc_column_text]However, keep in mind that this code will disallow access to all REST API routes for every user, logged-in users included, unlike the plugin method, which provides varied allow\/disallow options. Therefore, you need to decide which of these two methods suits your needs better.<br \/>\n[\/vc_column_text][vc_empty_space height=&#8221;68px&#8221;][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2 class=\"qodef-h4\">Final Thoughts<\/h2>\n<p>[\/vc_column_text][vc_column_text]The WordPress REST API is a very useful, developer-oriented feature that users of all skill levels should get to know. It allows you to quickly interact with the website using appropriate HTTP requests. However, there is an open debate regarding its usefulness as opposed to the potential harm it can cause a website. 
In this article, we presented some of the points from that debate and covered the ways you can disable the WordPress REST API. Since the methods that we described are relatively easy, we are confident that you will be able to disable the JSON REST API for your site in minutes.<br \/>\n[\/vc_column_text][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Increase your site&#8217;s security by learning how to disable REST API in WordPress. We&#8217;ll take you through this process that will help protect your data.<\/p>\n","protected":false},"author":11229,"featured_media":25723,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[4,13],"class_list":["post-25707","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","tag-tips","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/25707","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/users\/11229"}],"replies":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/comments?post=25707"}],"version-history":[{"count":0,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/posts\/25707\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media\/25723"}],"wp:attachment":[{"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/media?parent=25707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/categories?post=25707"},{"taxonomy":"post_tag","embeddable":
true,"href":"https:\/\/qodeinteractive.com\/magazine\/wp-json\/wp\/v2\/tags?post=25707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}